Cyber Incident Victim: Forsee Power
Date: Aug 2020
Location: France
Summary
Netwalker ransomware operators compromised Forsee Power, a France- and US-based electromobility firm, exfiltrating sensitive operational and financial data including employee information. The attackers utilized phishing emails and exploited VPN vulnerabilities to infiltrate networks, as part of a broader campaign that also affected organizations such as the UCSF School of Medicine and Toll Group. The FBI has previously issued warnings regarding this ransomware group's activities and advised against ransom payments.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
On or around August 6, 2020, Netwalker ransomware operators successfully breached the networks of Forsee Power, a prominent industrial group specializing in electromobility solutions with headquarters in France and the United States. The attackers exfiltrated sensitive company data prior to deploying ransomware, as evidenced by their public disclosure of the theft. Forsee Power, which reported approximately $65 million in annual revenue and employed over 200 individuals at the time, became the latest victim added to Netwalker's leak site. Cybersecurity firm Cyble identified the disclosure, which included samples of stolen data directories such as Accounts Receivable, Finance, and Employees, indicating the compromise of financial records and personnel information. The breach exposed operational and potentially proprietary data critical to the company's position in the competitive electromobility sector. No specific details regarding ransom demands or payment negotiations were disclosed in available reports.

The incident formed part of a broader Netwalker ransomware campaign active since at least March 2020, during which threat actors consistently exploited phishing emails and vulnerabilities in virtual private network (VPN) infrastructure to gain initial network access. The FBI had previously issued alerts about Netwalker's targeting of critical infrastructure entities, including high-profile attacks against the University of California San Francisco (UCSF) School of Medicine and Australian logistics company Toll Group earlier that year. Federal authorities explicitly warned organizations against complying with ransom demands due to the lack of guarantee regarding data recovery and the likelihood of funding further criminal activity. While the exact operational disruption to Forsee Power's manufacturing or research divisions remained unspecified, the confirmed theft of financial and employee data created significant exposure risks for the company's business operations and personnel. The public disclosure of directory structures demonstrated the attackers' access to multiple organizational divisions prior to the ransomware deployment phase.
